Cyber agencies warn of BianLian ransomware.
N2K, May 18, 2023

BianLian ransomware is in active and ruthless use.

Australian and US agencies, specifically the Australian Cyber Security Centre (ACSC), the US Federal Bureau of Investigation (FBI), and the US Cybersecurity and Infrastructure Security Agency (CISA), have issued a joint warning about BianLian ransomware. The criminal group behind it has been especially active against targets in Australia, but it represents a general threat. "The group gains access to victim systems through valid Remote Desktop Protocol (RDP) credentials," the advisory says, adding that it "uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol (FTP), Rclone, or Mega." BianLian had formerly used a double-extortion approach, but has recently shifted toward a model that relies solely on threats to release (as opposed to encrypt or destroy) the victim's data. "BianLian group engages in additional techniques to pressure the victim into paying the ransom; for example, printing the ransom note to printers on the compromised network. Employees of victim companies also reported receiving threatening telephone calls from individuals associated with BianLian group."
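The two behaviours the advisory singles out, valid-credential RDP logons and exfiltration through FTP, Rclone or Mega, are both visible in ordinary host telemetry. The following Python script is an added example (not code from the advisory or from any of the agencies) that runs simple triage logic over a few constructed log records in a simplified key=value shape; the record format, the internal address ranges, and the mapping from each exfiltration channel to an executable name are assumptions of this example rather than facts stated in the advisory.

```python
"""Triage of constructed log records for the BianLian tradecraft the joint advisory
describes: interactive RDP logons with valid credentials from outside the
organisation, and exfiltration tooling (FTP, Rclone, Mega) launched on hosts.
Added example code, not from the advisory; the log format, field names and
sample records are constructed for this example."""
import ipaddress
import re

# Address space the organisation considers internal (assumption: RFC 1918 only).
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Binary names for the exfiltration channels named in the advisory.
# The mapping from channel to executable name is an assumption of this example.
EXFIL_PROCESSES = {
    "rclone.exe": "Rclone",
    "ftp.exe": "FTP",
    "megasync.exe": "Mega",
    "megacmd.exe": "Mega",
}

# Constructed sample records in a simplified key=value shape (not real telemetry).
# 4624 with logon_type=10 is a Windows interactive RDP logon; 4688 is process creation.
SAMPLE_LOGS = [
    'event=4624 logon_type=10 user=jsmith src_ip=203.0.113.45 host=FS01',
    'event=4624 logon_type=10 user=admin src_ip=10.0.5.17 host=FS01',
    'event=4688 host=FS01 user=jsmith process=C:\\Users\\jsmith\\rclone.exe cmdline="rclone copy D:\\Finance remote:backup"',
    'event=4688 host=FS01 user=jsmith process=C:\\Windows\\System32\\notepad.exe cmdline=notepad.exe',
    'event=4688 host=WS22 user=svc process=C:\\Windows\\System32\\ftp.exe cmdline="ftp -s:upload.txt 198.51.100.9"',
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one key=value record into a dict; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def is_external(ip):
    """True when the address is outside the organisation's internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_RANGES)


def triage(lines):
    """Return (host, finding, user, detail) tuples for records matching either pattern."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        event = rec.get("event")
        if event == "4624" and rec.get("logon_type") == "10" and is_external(rec.get("src_ip", "")):
            findings.append((rec["host"], "rdp_external", rec["user"], rec["src_ip"]))
        elif event == "4688":
            exe = rec.get("process", "").rsplit("\\", 1)[-1].lower()
            if exe in EXFIL_PROCESSES:
                findings.append((rec["host"], "exfil_tool", rec["user"], EXFIL_PROCESSES[exe]))
    return findings


def correlate(findings):
    """Hosts showing both an external RDP logon and exfiltration tooling, sorted."""
    by_host = {}
    for host, kind, _user, _detail in findings:
        by_host.setdefault(host, set()).add(kind)
    return sorted(h for h, kinds in by_host.items() if {"rdp_external", "exfil_tool"} <= kinds)


if __name__ == "__main__":
    found = triage(SAMPLE_LOGS)
    for item in found:
        print(item)
    print("escalate:", correlate(found))
```

Each finding on its own is noisy (administrators do use RDP and Rclone), so the script also correlates by host: a machine that shows an external RDP logon and then an exfiltration tool in the same window is the one to escalate first. In a real deployment the same two rules would be expressed in the SIEM's query language against Windows Security and Sysmon events rather than over text records.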

A threat to critical infrastructure.

The joint advisory characterizes BianLian as "a ransomware developer, deployer, and data extortion cybercriminal group that has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022." They've also been active against Australian critical infrastructure, but in that country they've been known to hit professional services and property development organizations as well.

Industry reaction to the joint advisory.

Dror Liwer, co-founder of cybersecurity company Coro, sees the criminal determination to turn data into money: “Criminals will always find a way to monetize data they steal. Beyond deploying cyber defenses to protect against data theft, companies must encrypt any data retained, and have clear data retention guidelines. The guiding principle should be: if the data isn't absolutely necessary, it should not be retained. Unencrypted data should not be considered an asset, but rather, a liability.” 

Laurie Mercer, Director of Security Engineering at HackerOne, commented on the enduring criminal preference for extortion:

“Ransomware continues to be the most common ‘end game’ scenario, equating to almost three-quarters of all cyber attacks. In addition, unpatched vulnerabilities were the single most common access method. This is unsurprising when you consider that cybercriminals have CVE databases at their fingertips. Beyond known CVEs, organizations' unknown assets have the potential to pose an even greater risk. One-third of organizations say they observe less than 75% of their attack surface. Where the unknown is so vast, it is no shock that ransomware is on the rise. A simple solution? Using cybercriminals' own strengths against them to protect and patch vulnerabilities by adopting the outsider mindset.

“In the case of both Vulnerability Disclosure Programmes (VDPs) and Vulnerability Research Programmes (VRPs), the outsider mindset is harnessed to complement organizations' offensive security strategy. Ethical hackers are the best solution to match the ingenuity and inventiveness of cybercriminals, who have a multitude of resources and manpower to find vulnerabilities in your unknown assets.

“Organizations should continuously evaluate and improve their security practices, keeping up with the latest threat intelligence, and investing in regular security assessments by skilled security professionals, testers and hackers. Where cybercriminals look for ways onto your system without your permission, businesses that allow ethical hackers to access their systems will ensure unknown entryways are blocked for good. Organizations need to understand that it is not a matter of ‘if’ but ‘when’ they will get attacked. The cost of ransomware is not limited to just the ransom alone but also downtime, reputational damage and profit loss. Therefore, prior investment in VDPs and VRPs will save organizations time, money and reputation in the long run.”

Randeep Gill, Principal Cybersecurity Strategy at Exabeam, noted that ransomware has for some time been eclipsing endpoint security:

“There was a time when endpoint technology stood relatively strong in two key areas. On the one hand, the traditional anti-virus/malware agent served as a stand-alone protector against recognized threats by drawing attention to unusual activity and lowering noise. On the server side, endpoint technologies’ application control helped determine what should be running, how it should be running, and by whom.  

"Unfortunately, endpoint detection and response (EDR) solutions, which were initially designed to identify behavior and were utilized for forensic examination by analysts, also have a high susceptibility to exploitation themselves. If an adversary were to take advantage of an EDR tool, they would have access to a variety of an organization's telemetry, including user and identity authentication, access to files, system variables and key business applications. All of which increases the scope through which ransomware can be deployed.

"I want to remind enterprises to go beyond just EDR solutions to improve security posture and mitigate the risk of a ransomware attack. Security teams need complete and holistic visibility across any environment — which includes, but is not limited to, endpoint logs. In order to paint a full picture, CISOs and their security teams must be able to monitor user and device behavior across the whole network to distinguish between normal and anomalous behavior.”

Arti Raman, CEO and founder at Titaniam, thinks the shift away from encryption toward simple exfiltration with a threat to dox the victim is becoming a criminal trend:

"We are starting to see ransomware groups make a switch from data encryption tactics to data extortion, and BianLian ransomware gang is only one example. With the FBI’s announcement, CISOs and cybersecurity professionals need to make data protection a priority and understand the changing security landscape. Ransomware groups like BianLian are no longer set on just stealing data. These groups have begun to target specific information, such as personal identifiable information (PII) and personal health information (PHI), and will leverage this information under threat of exposure. Organizations can no longer assume their defense will be enough to keep criminals outside of their networks. Instead, proactive data security solutions like encryption-in-use and tokenization can help to limit the blast radius of threat actor efforts by ensuring valuable data is unusable even in cases where it is stolen for purposes like extortion." 

Justin McCarthy, CTO and co-founder of StrongDM, makes a case for regular examination of identity and access management in the enterprise:

“We are constantly reminded of the importance of regularly examining identity and access management practices. After all, before ransomware can get disseminated, an adversary has to gain initial access into a network. With Verizon reporting that 61% of all security breaches involve the exploitation of credentials, and StrongDM reporting that 55% of organizations maintain backdoor access to infrastructure, it’s very likely a majority of ransomware incidents are spurred by poor access management practices.

"With as distributed as our world has become, it's imperative that executives and IT teams consider applying the principle of least privilege (PoLP) and take a zero-standing privilege approach. Doing so ensures that credentials only exist in the moments they're needed, that every action is secure and auditable, and that credentials are essentially removed from the equation entirely. By limiting access as much as possible, organizations will reduce their attack surface and help mitigate the risk of ransomware.” 
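The zero-standing-privilege model described in the quote above is easiest to see as a small access broker. The following Python class is an added example written for this page (it is not StrongDM's product or API, and the resource names and lifetimes are constructed): no credential exists until it is requested, each grant is scoped to one resource and one action, it expires on its own, and every decision is written to an audit log.

```python
"""Just-in-time access broker illustrating the zero-standing-privilege model:
no credential exists until it is requested, every grant is scoped to one
resource and action, expires on its own, and every decision is audited.
Added example code, not StrongDM's product or API; resource names and
lifetimes are constructed."""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Grant:
    token: str
    user: str
    resource: str
    action: str
    expires_at: float
    revoked: bool = False


class AccessBroker:
    def __init__(self, clock=time.time):
        self.clock = clock    # injectable so expiry can be tested deterministically
        self.grants = {}      # token -> Grant; the only place a credential lives
        self.audit = []       # append-only decision log

    def request(self, user, resource, action, ttl_seconds):
        """Mint a short-lived, single-purpose credential; nothing stands beyond the TTL."""
        token = secrets.token_urlsafe(32)
        grant = Grant(token, user, resource, action, self.clock() + ttl_seconds)
        self.grants[token] = grant
        self.audit.append(("grant", user, resource, action, grant.expires_at))
        return token

    def authorize(self, token, resource, action):
        """Allow only an unrevoked, unexpired grant used for exactly its scope."""
        grant = self.grants.get(token)
        if grant is None:
            outcome = "deny:unknown_token"
        elif grant.revoked:
            outcome = "deny:revoked"
        elif self.clock() > grant.expires_at:
            outcome = "deny:expired"
        elif (grant.resource, grant.action) != (resource, action):
            outcome = "deny:out_of_scope"
        else:
            outcome = "allow"
        self.audit.append(("authorize", grant.user if grant else None, resource, action, outcome))
        return outcome == "allow"

    def revoke(self, token):
        """Cut a grant short, for example when the requester's session ends."""
        grant = self.grants.get(token)
        if grant is not None:
            grant.revoked = True
            self.audit.append(("revoke", grant.user, grant.resource, grant.action, self.clock()))

    def standing_privileges(self):
        """Grants still usable right now: the exposure if the broker state were stolen."""
        now = self.clock()
        return [g for g in self.grants.values() if not g.revoked and now <= g.expires_at]


def demo():
    """Walk one grant through its life cycle with a fake clock; returns the audit log."""
    fake_now = [1_000.0]
    broker = AccessBroker(clock=lambda: fake_now[0])
    token = broker.request("alice", "db/prod", "read", ttl_seconds=300)
    broker.authorize(token, "db/prod", "read")    # allow
    broker.authorize(token, "db/prod", "write")   # deny:out_of_scope
    fake_now[0] += 301                            # TTL has elapsed
    broker.authorize(token, "db/prod", "read")    # deny:expired
    return broker.audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The contrast with the "backdoor access" figure in the quote is `standing_privileges()`: once every grant has expired or been revoked it returns an empty list, which is the state a stolen copy of the broker's data should find. The audit log makes each grant and each decision attributable to a user, resource and action, which is what turns a later ransomware investigation from guesswork into a timeline.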

And Aaron Sandeen, CEO and co-founder of Securin, argues that a recovery plan isn't enough: the damage can be too swift, the cost of recovery too high:

“This is just another reminder of the looming threat of ransomware and how enterprise leaders need to be aware of cyber threats to keep their business safe. Ransomware attacks have continued to terrorize enterprises since the 2017 WannaCry attacks by the Lazarus group. In 2022 alone, IBM reported an average ransom payment of $812,360, with the total cost of a ransomware attack on an enterprise being $4.5 million on average.

"To combat this ever-present threat, organizations need to prioritize the detection and prevention of threats over recovery. Implementing strong security measures across the board, from patching software to employee training, all play a pivotal role in ensuring a strong security posture. Enterprises can eventually recover from a ransomware attack, however, prevention is the ultimate goal for a proactive cybersecurity strategy."